Taking TWIC beyond 'flash pass' status

More than a year after the Transportation Security Administration launched the Transportation Worker Identification Credential (TWIC) program, the market continues to wonder how and when it will fully leverage the biometric data contained inside these TWIC credentials.

TWIC cards are smart cards rich with security features and contain a dual interface integrated circuit chips, a magnetic stripe, and a linear bar code. Yet many of these cards today are only being used as a mere "flash pass." They are visually inspected to see if the photo matches the card holder and to determine if the card itself is authentic before permitting card holders access to highly secure properties and vessels regulated by the Maritime Transportation Security Act.

The reason that many of these TWIC cards have continued to be used as flash passes is that the TSA has yet to begin Phase Two of the TWIC program, where it may mandate that facilities use biometric readers to verify that the electronic biometric information stored within the TWIC matches that of the cardholder.

It's true that much of the market continues to use the TWIC card as a very basic form of identification and the reasons for this are simple. First, facilities don't know that grant money is available through the Department of Homeland Security to fund the purchase and implementation of biometric readers as part of the TWIC program. Second, facilities continue to wait for the TSA to issue a ruling about biometric reader technology to identify approved mobile and fixed reader devices.

Verifying TWIC: It can be done

Today, the TSA continues to test various biometric card reader technologies, but has not announced any formal mandates, a timeline for implementation or specific funding details. But it's a misnomer to think that no one is using the TWIC card beyond its flash pass status.

In fact, there are several forward-thinking organizations that have recently taken the initiative and implemented a TWIC credential validation program, enabling them to truly access the data and high security features inside these cards.

The Port of Wilmington, Delaware; The Jacksonville Port Authority and Marathon Oil are a few examples of facilities that implemented a TWIC credential validating program. These organizations, which operate ports and a petrochemical facility, are governed by the Maritime Transportation Security Act due to their location on our waterways, and could have waited for the TSA to make its decision regarding biometric card reading technology. Instead the organizations decided to take full advantage of the TWIC cards by deploying software that can read, validate, authenticate and register the TWIC card into their PACS database, and then continue to re-validate the TWIC by daily checking of the TSA hotlist Some locations also deployed fixed biometric TWIC readers at exterior gates.

The benefits to these facilities are vast because they can verify the validity of the TWIC card, check the card holder against the TSA hotlist, and revoke access privileges in real-time. Verifying TWICs before the final ruling also ensures that cardholders have been issued working credentials which otherwise may never be used until the final rule goes into effect.

When a facility uses a TWIC card merely as a flash pass, there's no sure way to know if it's a cloned or forged card, because the security features which reside inside the TWIC cannot be accessed without presenting the card to a card reader. This may lead to a potential for black market cards that are made to look like TWIC cards but are instead fake versions of the real credentials.

Checking the list

An important component directly linked to verifying TWIC cards is the TSA hotlist, a real-time database of revoked TWIC credentials. A TWIC can be revoked for a variety reasons, including certain criminal activities, such as murder, treason, espionage, or a Transportation Security incident, for example. However, most of the TWICs on the hotlist have been revoked because the cardholder lost his card or the TWIC itself needed to be replaced for some reason. This database of revoked cards is updated on a daily basis. Organizations that are proactively checking the TSA hotlist have been able to identify TWIC cardholders who should not be given access to secure areas.

Another benefit of the TWIC card is that it may be used as a physical access credential that can be read by FIPS 201-approved CHUID (cardholder unique identifier) readers at a door or gate to gain access to a facility. CHUID readers do not employ biometric technology but are able to read and process FIPS 201 credentials like the TWIC.

More Than a Flash Pass

Since the Port of Wilmington, Delaware already had an access control system in place, it was important to identify both software and hardware reader technology that would work with its existing 125kHz proximity cards and readers, equipment that was installed before the port became a pilot site for the TWIC smart card program.

For port officials, it was essential to register TWIC cards with its legacy access control system. Port officials wanted only one card for facility access control instead of having the complex task of managing multiple cards and card technologies.

In addition to selecting a biometric reader, another important aspect of the project involved selecting the software that would bring all the cardholder data together from the TWIC cards and its existing access control system. The port selected PIVCheck Plus software from Codebench, which drives three Datastrip mobile readers as well as resides on a desktop registration workstation in the port's main office.

Together, these systems are able to check TWIC cards against the TSA hot list and re-validate the TWIC card status daily or on a user-defined schedule, so security personnel can see what has changed and react to the status of cardholders. Even though checking the TSA hot list is not a current requirement, many ports, like the Port of Wilmington consider it a necessary step in ensuring the security of its facilities.

Taking the next step

While the industry waits for the TSA to issue specific guidance on how and what to deploy for biometric technology, these organizations, like the Port of Wilmington, recognize that moving ahead with harnessing the information contained on the TWIC card can only prove a boon to their security. Until fully utilized, the framework provided by the TWIC program is a significant improvement to maritime security. However some organizations are ahead of the game by moving beyond flash pass status to take the necessary step in linking their facility access control to real-time threat intelligence that may pose a potential threat to their organization.

Geri Castaldo, CodebenchAbout the author: Geri Castaldo is chief executive officer of Codebench, Inc. She can be reached at geri.castaldo@codebench.com.